Skip to content
/ GitSecrets Public

A simple way to encrypt secrets in git and decrypt them at runtime.

1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

noqcks/GitSecrets

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit

README.md

README.md

 
 

decrypt.sh

decrypt.sh

 
 

install.sh

install.sh

 
 

Repository files navigation

GitSecrets

This repository describes an easy way to store your secrets encrypted in git. I believe that it is preferrable to store your secrets encrypted in git along with your application code for greater repeatability of builds.

Philosophy

We believe that secrets and config are code. This idea is based on foundations laid out by GitOps and Infrastructure As Code.

The most important thing about including cofig/secrets as code is that every single git commit is repeatable. This allows you to rollback to a previous version of your application with ease. It reduces the cognitive load on developers, since we no longer have to think about outside configuration when deploying applications.

How it Works

  1. Secrets are added encrypted to the GitHub repo using ejson-kms (a tool to store encrypted secrets using AWS KMS)
  2. Secret decryption scripts are COPY'd into your Dockerfile.
  3. Your containers/nodes/ECS tasks are given the necessary permissions to decrypt secrets using AWS IAM Roles.
  4. A Docker ENTRYPOINT is added to run the secret decryption script on container boot.

Quick Start

0. Install ejson-kms

See installation

1. Add new secrets file

ejson-kms init --kms-key-id="your-kms-key-id"

2. Add encrypted secrets to Dockerfile

COPY _infra/secrets/ /opt/_infra/secrets/

NOTE: the decrypt.sh file expects secrets to be at _infra/secrets or /opt/_infra/secrets in the Docker image.

3. Add secret install and secret decrypt script to Dockerfile

# EJSON-KMS Install
ADD scripts/install.sh /tmp/install.sh
RUN chmod +x /tmp/install.sh && /tmp/install.sh && rm /tmp/install.sh

# Secret Decryption
ADD scripts/decrypt.sh /usr/local/bin/decrypt
RUN chmod +x /usr/local/bin/decrypt

4. Add Docker entrypoint

ENTRYPOINT  ["./entrypoint.sh"]

The entrypoint.sh file should look like this.

#!/usr/bin/env bash

# add secrets to current env
. decrypt

$CMD "$@"

And then use CMD directive in your Dockerfile to run your application.

CMD ["gunicorn", "app" ...]

5. Add IAM Role to your nodes/ECS tasks

Create an IAM role and attach it to your EC2 instance.

The IAM role should have a policy that includes the following

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:AWSACCOUNTID:key/your-kms-key-id"
    }
  ]
}

This will allow the EC2 instance to decrypt secrets created by this KMS ID.

6. Success!

You should now have everything setup. You can store secrets encrypted in git and decrypt them at runtime in your application.

About

A simple way to encrypt secrets in git and decrypt them at runtime.

Topics

kms aws-kms secret-management secrets-management git-secrets ejson-kms

Resources

Readme
Activity

Stars

1 star

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages